Abebot and TrojanDownloader.xs

By rlkscott
Apr 28, 2008
  1. I've been infected with these two things, but McAfee Security is not recognizing them or fixing them for me. I've read other threads on this and it seems very complicated. I am a novice, can anyone help me?

    Also, does anybody know what files are compromised with this infection? Do I need to worry about id or bank theft?
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi rlkscott,

    Welcome to Techspot!

    My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

    This infection is trying to sell you a fake anti-spyware product, you could have other infections that would compromise bank accounts, etc.

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  3. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    Here is the Malwarebytes' log and HijackThis log. I actually dowloaded and used the SUPERAntiSpyware program before receiving your reply. I think it took care of some of the issues, but this new scan pulled up some other trojans and fake alerts.

    Thanks for all your help!

    Malwarebytes' Anti-Malware 1.11
    Database version: 704

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 211494
    Time elapsed: 1 hour(s), 47 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 13

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\services (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\HP_Administrator\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\EXPLOR~1.EXE.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-2449135306-3499255201-4030148772-1007\Dc151.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Desktop\virii\ (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder


    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  5. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    Followed your instructions and attached the logs...
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O15 - Trusted Zone: http://* (HKLM)

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):


    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Documents and Settings\All Users\Application Data\gpwtspmj
    C:\Program Files\AWS

    After that, Reboot, and post a new HijackThis log here in a reply


    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.


    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  7. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    I have been out of town and have not been able to attend to your last posting. I will do your above request asap. Thanks for hanging in there with me! I really appreciate your help!
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    not a problem, attach your kaspersky log when done ;)
  9. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    Ran the Domains prog. Copied 1/2 of the new HijackThis Report here. Attached the Kaspersk file. I will send another posting with program files I did not recognize in the add/remove list.
  10. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    deleted this info and added as an attachment in a later posting.
  11. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    These files I did not recognize in the Add/Remove programs list, but we may need them. I have no idea. See if you recognize anything suspicious:

    Customer Experience Enhancement 12.53 MB
    DivX .32MB
    Easy internet sign up 2.50MB
    High Definition Audio Driver Package KB888111
    MSXML 4.0 SP2 KB9327978 2.56MB
    MSXML 4.0 SP2 KB936181 2.62MB
    Windows Installer 3.1 KB893803
    Pynthon 2.2 pywin32extentions (build 203) 29.28MB
    Pynthon 2.2.3 29.28MB
    Wild tangent web driver 1.05MB
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    First, can you try to keep everything as attachments and can you rename your kaspersky scan to .txt instead of .doc, I don't like opening doc files from potentially infected machines.

    I would uninstall the following:
    Otto <- This should be a game but if you don't use it I would remove
    Wild tangent

    Then delete these folders:
    C:\program files\Otto
    C:\program files\Wild Tangent


    Next I want you to get Winpatrol from my signature section and install it. After installed right click the scotty dog Icon in your system tray and select startup info, eliminate some programs from running everytime you start your computer by highlighting them and selecting disable. You will still be able to run these programs but they wont launch every time you turn on the machine. This should improve performance.

    We should also clean up some temp files:
    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    In your next reply you should re attach the kaspersky scan as a .txt file. you can change it by right clicking it and selecting rename
  13. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    Here is the Kaspersky report as a txt as an attachment and the most recent HijackThis file as an attachment. I will delete my previous HijackThis posting. Is there some sort of information in there that shouldn't be posted publicly?

    I will tend to your next set of instructions asap.
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    First go back to add/remove programs and uninstall PeoplePC

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
  15. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    I could not uninstall people pc. It is not listed in the add/remove program list and it does not have an uninstall option in the program folder. The only thing I can do is remove the shortcut. I don't know where the actual program file is.

    But I did what you wanted with combofix and hijackthis anyway. However, I'm having trouble attaching the reports to this message. (The attachment icon does not respond when i click on it.) I will try again in a new posting.
  16. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    I still can't attach any files...none of the icons at the top of the reply box are accessible. Am I doing something wrong?
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You could try going to edit profile on the left of the blue bar above, go down to attachments, then delete all attachments there and try again.

    If that doesn't work you may copy and paste the logs into your reply
  18. rlkscott

    rlkscott TS Rookie Topic Starter Posts: 17

    Was finally able to attach! Sorry for the delay!
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok can your run a fresh scan with kaspersky
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...